quasar | 418bca7ff00a6c66b907d677b1c476962d0ae01fc1f69f235aa1394d7809750c

Analysis

max time kernel
23s
max time network
24s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-01-2025 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fps unlocker.7z
Size

922KB
MD5

9012d7fa174b6a7352ba9fd42db0dc20
SHA1

ce1d6ed32b65e90bfe0f0438c45af71965124567
SHA256

418bca7ff00a6c66b907d677b1c476962d0ae01fc1f69f235aa1394d7809750c
SHA512

a3c48426411ee83cfdf5bf3501cfd1a9ec89b20efed7e69750fcb6bc66298713ed948d681a6f6f4fe219e55be7169c525be3122aa762601d930c037c402abafc
SSDEEP

12288:3x6jffKMhw5vvvs7FAbIlAB5rdOOdSJ7n/jX/BxfK8m+nU2D4c5msVhLmoe:BC3XmvHs7FbABPdSJrT/BhKwPmsV9mJ

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Inversin-43597.portmap.host:43597

Mutex

80329fd2-f063-4b06-9c7e-8dbc6278c2a3

Attributes

encryption_key
744EA1A385FEBC6DA96387411B7000D77E66B075
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java updater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000460b7-2.dat	family_quasar
behavioral1/memory/1296-5-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 3 IoCs

pid	Process
1296	Fps unlocker.exe
1528	Client.exe
1856	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3336	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133808773710743581"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3336	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3348	schtasks.exe
4816	schtasks.exe
3664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5008	chrome.exe
5008	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4880	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeRestorePrivilege	4880	7zFM.exe
Token: 35	4880	7zFM.exe
Token: SeSecurityPrivilege	4880	7zFM.exe
Token: SeDebugPrivilege	1296	Fps unlocker.exe
Token: SeDebugPrivilege	1528	Client.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeDebugPrivilege	1856	Client.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4880	7zFM.exe
4880	7zFM.exe
1528	Client.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
1856	Client.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1528	Client.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
1856	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 3664	1296	Fps unlocker.exe	93
PID 1296 wrote to memory of 3664	1296	Fps unlocker.exe	93
PID 1296 wrote to memory of 1528	1296	Fps unlocker.exe	95
PID 1296 wrote to memory of 1528	1296	Fps unlocker.exe	95
PID 5008 wrote to memory of 984	5008	chrome.exe	97
PID 5008 wrote to memory of 984	5008	chrome.exe	97
PID 1528 wrote to memory of 3348	1528	Client.exe	98
PID 1528 wrote to memory of 3348	1528	Client.exe	98
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 1388	5008	chrome.exe	100
PID 5008 wrote to memory of 2464	5008	chrome.exe	101
PID 5008 wrote to memory of 2464	5008	chrome.exe	101
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102
PID 5008 wrote to memory of 2296	5008	chrome.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Fps unlocker.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4880

C:\Users\Admin\Desktop\Fps unlocker.exe
"C:\Users\Admin\Desktop\Fps unlocker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3664
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FTIwECom884w.bat" "
    3⤵
    PID:1812
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3080
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3336
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1856
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffc0102cc40,0x7ffc0102cc4c,0x7ffc0102cc58
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1776,i,17123036035523430375,2431914803348828216,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1772 /prefetch:2
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,17123036035523430375,2431914803348828216,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,17123036035523430375,2431914803348828216,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,17123036035523430375,2431914803348828216,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,17123036035523430375,2431914803348828216,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,17123036035523430375,2431914803348828216,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4272,i,17123036035523430375,2431914803348828216,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4288 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3276,i,17123036035523430375,2431914803348828216,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4652,i,17123036035523430375,2431914803348828216,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4392,i,17123036035523430375,2431914803348828216,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3172 /prefetch:8
  2⤵
  PID:2732

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
87e478a7c355ea639e0a3e08a0808040

SHA1
633d171ac88869d667c13607a6e19fe097e6e66a

SHA256
f40d425017d6899c7d89e6dfa9b855128e8428016975ca5c8cfe8f83c3f58da7

SHA512
a4bc3c308ecf6cd3c864853284545065f548e36f09a838616c41aff4df67e541e1d49f510c18c9547229838c5c3bd79e0d041ed76e599d789461a09fd7fa7265

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9553d23f21c7e56072771b7584277f30

SHA1
ecf1b5de564f7c9b9da8d8b0f105179fcc48b790

SHA256
947559725541f13f22655655c9c061e95ab85c64ed4f961bebc05569330c47b8

SHA512
7bbebaabb25c5a9a05f2165a89b9f61cb001a2d641952523b8cfc61ad37abcceff248f982303b0413cf8d69d737540e6b8b031ff375f7659495fea2e228a9cc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
b4d47a00ed4e8d5783b70211a5ddaf4d

SHA1
ef4956702c393c6bc318a5e54983a450ad8f009e

SHA256
2896d3808b2b08ec660428c6b0b3d24a3e2b7ad9055dc17b399f592668f82630

SHA512
3a8aa3554a34258c4b3c12b414a7ea45c8d0725b0e1d184a37f952c11bf32ea88fcfc5629447b0925f96ff3ea01ca2d76fac6d4da00e98a5047d35cacbba5bf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\FTIwECom884w.bat

Filesize
207B

MD5
24adb7d3520e624278d5fc80fe6b5680

SHA1
90d7533d5ed20e31349663679031ba180b8b1cfa

SHA256
3e366c46be3b729fbc2d1b946a8bc61f7ad5cabaaf33fd2a5178ec8df4d732b6

SHA512
0fb2d4470a16a98c5fc35d722ae42ffc51a3ce3e1c71cd7cd6e089dbfdd2a36a6c7251a05c3a321bc57bdfa2a7a00f2f945748397863af8b416b7e0bdbcce518

Download Submit
C:\Users\Admin\Desktop\Fps unlocker.exe

Filesize
3.1MB

MD5
bf656c2e5e1e942c41fa918132faa7ab

SHA1
1c2ddd815378e54db9e21dd2e61d89067c94da4f

SHA256
b70c5aea64d75fc98a82b3c88cfecc6c2856f2a4987f4c1212c3fcf866ec9c9f

SHA512
54bef34ab722d69f1d3b7f5316f1fbc10fc629bb134f70eecb6a368330b7b73305ef5fa0b9e83c104e6e679ccd1d6e7f5a20caf4f39e6b03d4940b4ed9540b7d

Download Submit
memory/1296-6-0x00007FFC064A0000-0x00007FFC06F62000-memory.dmp

Filesize
10.8MB

Download
memory/1296-9-0x00007FFC064A0000-0x00007FFC06F62000-memory.dmp

Filesize
10.8MB

Download
memory/1296-5-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download
memory/1296-4-0x00007FFC064A3000-0x00007FFC064A5000-memory.dmp

Filesize
8KB

Download
memory/1528-15-0x000000001D250000-0x000000001D302000-memory.dmp

Filesize
712KB

Download
memory/1528-12-0x000000001D140000-0x000000001D190000-memory.dmp

Filesize
320KB

Download